From: [victim]The link in the email goes to a bit.ly address that forwards to [donotclick]informativoministeriopublico.info/2014-20090717094507AAtpljuX&ei=sVblU7RHpd-wBKbhgZgG&ved=0CBsQvwUoAAqid=20090717094507AAtpljuX&ei=sVblU7RHpd-wBKbhgZgG&ved=0CBsQvwUoAA.html which has garnered a fair number of clicks according to the bit.ly statistics:
Date: 11 August 2014 14:33
Subject: Ministerio Publico federal 11 08 2014 07:35
Scan Security Avast, NOD 100% Seguro.
The malware site informativoministeriopublico.info has been created specifically for this purpose with anonymous registration details, and is hosted on 184.108.40.206 (ClearVPS / ColoCrossing, US). This IP address has been used for a number of other similar sites:
The 220.127.116.11/25 range has some questionable sites in it, and you might want to block the whole lot as a precaution. You should definitely block 18.104.22.168 though.
The originating IP is 22.214.171.124 (Alog-02 Solucoes De Tecnologia Em Informatica S.a., Brazil). The presence of a Brazilian IP address as the sender is interesting, because it does make the email look more legitimate if the headers are examined.